aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe
Size

1.1MB
MD5

7a718ce67a46484b48fc242260ccb8b8
SHA1

a5f05a3f42ee54e61f3a9f56ecf817391e919868
SHA256

aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae
SHA512

04872d72c245a6ee7a50367828f6d64bc0520b825a61c73f9d8e1171ee5e87114e69727d398e0aff01cc9777bcecafa48731311ebb71c9a48085cb0d307a7b86
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2552	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2552	svchcst.exe
2944	svchcst.exe
1936	svchcst.exe
2848	svchcst.exe
1580	svchcst.exe
2204	svchcst.exe
2256	svchcst.exe
2168	svchcst.exe
2528	svchcst.exe
1232	svchcst.exe
2136	svchcst.exe
2424	svchcst.exe
1080	svchcst.exe
784	svchcst.exe
1372	svchcst.exe
1708	svchcst.exe
2760	svchcst.exe
2228	svchcst.exe
2824	svchcst.exe
1296	svchcst.exe
2372	svchcst.exe
1316	svchcst.exe
1352	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2728	WScript.exe
2728	WScript.exe
1744	WScript.exe
1656	WScript.exe
1148	WScript.exe
2900	WScript.exe
2900	WScript.exe
2276	WScript.exe
2276	WScript.exe
2276	WScript.exe
2796	WScript.exe
2796	WScript.exe
2988	WScript.exe
2988	WScript.exe
1560	WScript.exe
1560	WScript.exe
1088	WScript.exe
1088	WScript.exe
2452	WScript.exe
2452	WScript.exe
2916	WScript.exe
2916	WScript.exe
2288	WScript.exe
2288	WScript.exe
908	WScript.exe
908	WScript.exe
2516	WScript.exe
2516	WScript.exe
316	WScript.exe
316	WScript.exe
2260	WScript.exe
2260	WScript.exe
844	WScript.exe
844	WScript.exe
2136	WScript.exe
2136	WScript.exe
1864	WScript.exe
1864	WScript.exe
308	WScript.exe
308	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe
2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe
2552	svchcst.exe
2552	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2528	svchcst.exe
2528	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
784	svchcst.exe
784	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2228	svchcst.exe
2228	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
1316	svchcst.exe
1316	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2728	2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe	30
PID 2872 wrote to memory of 2728	2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe	30
PID 2872 wrote to memory of 2728	2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe	30
PID 2872 wrote to memory of 2728	2872	aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe	30
PID 2728 wrote to memory of 2552	2728	WScript.exe	32
PID 2728 wrote to memory of 2552	2728	WScript.exe	32
PID 2728 wrote to memory of 2552	2728	WScript.exe	32
PID 2728 wrote to memory of 2552	2728	WScript.exe	32
PID 2552 wrote to memory of 1744	2552	svchcst.exe	33
PID 2552 wrote to memory of 1744	2552	svchcst.exe	33
PID 2552 wrote to memory of 1744	2552	svchcst.exe	33
PID 2552 wrote to memory of 1744	2552	svchcst.exe	33
PID 1744 wrote to memory of 2944	1744	WScript.exe	34
PID 1744 wrote to memory of 2944	1744	WScript.exe	34
PID 1744 wrote to memory of 2944	1744	WScript.exe	34
PID 1744 wrote to memory of 2944	1744	WScript.exe	34
PID 2944 wrote to memory of 1656	2944	svchcst.exe	35
PID 2944 wrote to memory of 1656	2944	svchcst.exe	35
PID 2944 wrote to memory of 1656	2944	svchcst.exe	35
PID 2944 wrote to memory of 1656	2944	svchcst.exe	35
PID 1656 wrote to memory of 1936	1656	WScript.exe	36
PID 1656 wrote to memory of 1936	1656	WScript.exe	36
PID 1656 wrote to memory of 1936	1656	WScript.exe	36
PID 1656 wrote to memory of 1936	1656	WScript.exe	36
PID 1936 wrote to memory of 1148	1936	svchcst.exe	37
PID 1936 wrote to memory of 1148	1936	svchcst.exe	37
PID 1936 wrote to memory of 1148	1936	svchcst.exe	37
PID 1936 wrote to memory of 1148	1936	svchcst.exe	37
PID 1148 wrote to memory of 2848	1148	WScript.exe	38
PID 1148 wrote to memory of 2848	1148	WScript.exe	38
PID 1148 wrote to memory of 2848	1148	WScript.exe	38
PID 1148 wrote to memory of 2848	1148	WScript.exe	38
PID 2848 wrote to memory of 2900	2848	svchcst.exe	39
PID 2848 wrote to memory of 2900	2848	svchcst.exe	39
PID 2848 wrote to memory of 2900	2848	svchcst.exe	39
PID 2848 wrote to memory of 2900	2848	svchcst.exe	39
PID 2900 wrote to memory of 1580	2900	WScript.exe	40
PID 2900 wrote to memory of 1580	2900	WScript.exe	40
PID 2900 wrote to memory of 1580	2900	WScript.exe	40
PID 2900 wrote to memory of 1580	2900	WScript.exe	40
PID 1580 wrote to memory of 616	1580	svchcst.exe	41
PID 1580 wrote to memory of 616	1580	svchcst.exe	41
PID 1580 wrote to memory of 616	1580	svchcst.exe	41
PID 1580 wrote to memory of 616	1580	svchcst.exe	41
PID 2900 wrote to memory of 2204	2900	WScript.exe	42
PID 2900 wrote to memory of 2204	2900	WScript.exe	42
PID 2900 wrote to memory of 2204	2900	WScript.exe	42
PID 2900 wrote to memory of 2204	2900	WScript.exe	42
PID 2204 wrote to memory of 2276	2204	svchcst.exe	43
PID 2204 wrote to memory of 2276	2204	svchcst.exe	43
PID 2204 wrote to memory of 2276	2204	svchcst.exe	43
PID 2204 wrote to memory of 2276	2204	svchcst.exe	43
PID 2276 wrote to memory of 2256	2276	WScript.exe	44
PID 2276 wrote to memory of 2256	2276	WScript.exe	44
PID 2276 wrote to memory of 2256	2276	WScript.exe	44
PID 2276 wrote to memory of 2256	2276	WScript.exe	44
PID 2256 wrote to memory of 2308	2256	svchcst.exe	45
PID 2256 wrote to memory of 2308	2256	svchcst.exe	45
PID 2256 wrote to memory of 2308	2256	svchcst.exe	45
PID 2256 wrote to memory of 2308	2256	svchcst.exe	45
PID 2276 wrote to memory of 2168	2276	WScript.exe	46
PID 2276 wrote to memory of 2168	2276	WScript.exe	46
PID 2276 wrote to memory of 2168	2276	WScript.exe	46
PID 2276 wrote to memory of 2168	2276	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe
"C:\Users\Admin\AppData\Local\Temp\aa4671ef7e0d686fdb6df7d24b74d644b7bf22c647d0f2073002b2f7891292ae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ca9ef9cf0b8bfb49e2b4170bf050c5d5

SHA1
52082cc15f0134a8a91fb8a3228350870e14a57e

SHA256
084e0c92a6a06bc41f26b7c4bbf3b0acc012a1cc60c76f7024de4f8da2b47439

SHA512
bb63b859fc51705d01b0556ae94e0f951ea22041355bfecc6f48a2f7060ac6bbefb2d2c23643e1553e6e8ce29c8b85f258c889e07dd47f6ceef4f5413839b880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
05af61198a975b6b86bf06a2c002022f

SHA1
24afa7b9068e02efe0c6d14bc102d77077ce5a97

SHA256
b4a1e390a2504940a080d93783d22b3f23027de6d9ade048919bed8af9a3f9f2

SHA512
e13b2f56ba10329050ec814e17efae98644a47f2a1098c76fae3e59a56a33f9a70a23f8a268aaf4651a899dc3e3273cddcd2467df485b0a00af830caf34bf051

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f29ccf80af5c4e2349936d4316870b31

SHA1
f8bc24660da78a2e9862384e8b76db8d22edc6bc

SHA256
f6d4fb6a7eb6a7a33eb4da15c1b1d5e6505e2020bc78634ef3f490dcf9c9736b

SHA512
c1c9b5ecc537d307b1e247f3a70bcba41b8d685327212ccc20e35cca57eec8e0e65e4752a9248a31e3abbc227efc34e5cf4e45a38e394fb24121d0c301531cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1fe4a8e79f4588a6c3a645a8f3a41b80

SHA1
c9eb4d995d5c31044dc57b80a10ce4d0c3b5e39a

SHA256
1392e8f22feaa6e505ebc355efae13ca17d05e4551604daae0e52dfeb5a60581

SHA512
d53075bb735618806675a74475486c90754be1979ba781c5639faf5423797bdb08939a06a33dffdd1592866d397a370a12c58f08d69281b410fe3656bab0b653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
03308d0f2f0b03e9bdd68e1661321277

SHA1
9f68f56adceb131699b5e4dd2be38a81eacac970

SHA256
a0ceeb9bdfa330507d484277a4dbf72bc2482c4f785a278ab588028a80ba3f1b

SHA512
8d8a89af2519338e0962b92b634aaea86f45a6bc522403d2be28f3f92ed3683db3a1c475fd3bf55d0661bcc8db81b71cec833e7c4155b49585b9893d07182014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff8eeae2f549fe24a6b6f444a9975373

SHA1
fe4adcd8c133bb93681616092ef28ad1bec7e8a5

SHA256
c5386fa6666049d4c6b80d0c688ca620e451744f7938721e9ea3ae6fd6c04f0d

SHA512
92a37dcc41012a520a9ade3da5fb43ad50321b319168470edcc123d055da88edc747d09bb1742012e60df787ef44be47eef39c4c418db328c00027ec25f89843

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5ed37c464abf88143449a30db533c1e5

SHA1
0352b77067009d8696eb1266d4e699ab56a0b0c0

SHA256
92c096d38838c5961abc621e7fe63d58e1350f96583d459193c13493f2605e01

SHA512
95cd518ac89300d25c8c9b6640a50c3749328f588ea2aa4ef1f95e1ca8681e5f2e0c246b0ba522550f5be470174abd04d1a9cd11fc00fa88a65178d98cc25906

Download Submit
memory/2872-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download